Search results for "Information security"

showing 10 items of 102 documents

Abductive innovations in information security policy development: an ethnographic study

2019

Developing organisational information security (InfoSec) policies that account for international best practices but are contextual is as much an opportunity for improving InfoSec as it is a challenge. Previous research indicates that organisations should create InfoSec policies based on best practices (top-down) and simultaneously encourages participatory development (bottom-up). These contradictory suggestions place managers in a dilemma: Should they follow a top-down or bottom-up approach? In this research, we build on an ethnographic approach to study how an innovative engineering company (MachineryCorp) managed the contradiction when the firm developed an InfoSec policy. Drawing on the …


Aligning Two Specifications for Controlling Information Security

2014

Assuring information security is a necessity in modern organizations. Many recommendations for information security management exist, which can be used to define a baseline of information security requirements. ISO/IEC 27001 prescribes a process for an information security management system, and guidance on implementing security controls is provided in ISO/IEC 27002. The Finnish National Security Auditing Criteria (KATAKRI) has been developed by the national authorities in Finland as a tool to verify the maturity of information security practices. KATAKRI defines both security control objectives and the security controls that meet each objective. Here the authors compare and align these two specifications in…


Toward a Unified Model of Information Security Policy Compliance

2018

Information systems security (ISS) behavioral research has produced different models to explain security policy compliance. This paper (1) reviews 11 theories that have served the majority of previous information security behavior models, (2) empirically compares these theories (Study 1), (3) proposes a unified model, called the unified model of information security policy compliance (UMISPC), which integrates elements across these extant theories, and (4) empirically tests the UMISPC in a new study (Study 2), which provided preliminary empirical support for the model. The 11 theories reviewed are (1) the theory of reasoned action, (2) neutralization techniques, (3) the health belief model,…


An Enhanced Fear Appeal Rhetorical Framework: Leveraging Threats to the Human Asset Through Sanctioning Rhetoric

2015

Fear appeals, which are used widely in information security campaigns, have become common tools in motivating individual compliance with information security policies and procedures. However, empirical assessments of the effectiveness of fear appeals have yielded mixed results, leading IS security scholars and practitioners to question the validity of the conventional fear appeal framework and the manner in which fear appeal behavioral modeling theories, such as protection motivation theory (PMT), have been applied to the study of information security phenomena. We contend that the conventional fear appeal rhetorical framework is inadequate when used in the context of information security t…

Venue: MIS Quarterly

Speak their Language: Designing Effective Messages to Improve Employees’ Information Security Decision Making

2018

Employee disinterest in information security remains one of the greatest impediments to effective information security management programs. How can organizations enhance the persuasiveness of the information security messages used to warn employees of threats and encourage employees to take specific actions to improve their security? We use fear appeal theory and the elaboration likelihood model to argue that security messages presented using more personally relevant language are more likely to induce employees to engage in the recommended protective security behaviors. Our strategy uses organization identification theory to segment employees into two groups and then develops security messa…


Effects of sanctions, moral beliefs, and neutralization on information security policy violations across cultures

2020

A principal concern of organizations is the failure of employees to comply with information security policies (ISPs). Deterrence theory is one of the most frequently used theories for examining ISP violations, yet studies using this theory have produced mixed results. Past research has indicated that cultural differences may be one reason for these inconsistent findings and has hence called for cross-cultural research on deterrence in information security. To address this gap, we formulated a model including deterrence, moral beliefs, shame, and neutralization techniques and tested it with employees from 48 countries working for a large multinational company.

Venue: Information & Management

Information Security and Privacy in Medical Application Scenario

2010

This chapter discusses security and privacy aspects of a medical application scenario. The chapter analyzes what kind of security and privacy enforcement would be needed and how it can be achieved by technological means. The authors review cryptographic mechanisms and solutions that can be useful in this context.


Information Security Practices in Organizations: A Literature Review on Challenges and Related Measures

2018

This paper reports a systematic literature review that explores challenges related to information security practices in organizations and the ways these challenges are managed to avoid security breaches. We focused on empirical evidence from extant research studies and identified four general challenges related to: (1) security rules and procedures, (2) individual and personal risks, (3) culture and security awareness, and (4) organizational and power relations. To manage these risks, nine measures were prominent in the selected studies. Training and organizational collaboration across the hierarchical levels were widely used to enhance the security culture. In addition, awareness campaign…


Cloud Sourcing and Paradigm Shift in IT Governance: Evidence from the Financial Sector

2020

In the digital age, organizations are increasingly shifting their applications, services and infrastructures to the cloud to enhance business agility and reduce IT-related costs. However, in moving applications and data to cloud resources, organizations face new risks of privacy violations. To manage this risk, organizations need to be fully aware of the threats and vulnerabilities affecting their digital resources in the cloud. Although some previous studies have focused on the emerging challenges of cloud adoption for governance and control, we know little regarding the paradigm shifts in IT governance processes and practices. To address this gap, we conducted an exploratory case study in two larg…


A Model for Digital Archival of Municipal Documents

2006

While outsourcing IT infrastructure and various IT functions is common, outsourcing the digital archival of municipal documents has not been realized. The reasons for this include the complexity of operations, the lack of models complying with governmental regulation on archival as well as conflicting requirements on the security of sensitive information and public access. This paper presents a case where a municipality aims at outsourcing in a pilot project supported by researchers in project Kunda. Project Kunda applies a model utilizing a combination of contemporary standards, technologies and research results to achieve a replicable way to outsource the digital archival of municipal doc…

Venue: 2006 10th IEEE International Enterprise Distributed Object Computing Conference Workshops (EDOCW'06)